US Offers up to $10 Million for Info on Cyber Attacks in Montenegro

The US embassy in Montenegro has placed billboards at several locations in the capital Podgorica, offering up to $10 million for information on cyber attacks in Montenegro carried out against American interests.

The billboards seek information about ransomware attacks on state information systems, interference in elections, or “malicious cyber activities against critical American infrastructure”. Montenegro has been part of NATO since 2017.

The announcement is written in Montenegrin and Russian and aims to attract “technologically skilled individuals who currently live in Montenegro and know about the attacks”, as the embassy in Montenegro told Radio Free Europe, RFE.

The billboards say that “recent malicious cyber activities in Montenegro indicate the need to protect digital ecosystem”, likely referring to the cyber attacks from August last year targeting a host of government services in Montenegro.

Authorities in Montenegro still have no definitive answer as to who was behind the attacks which compromised various public services, including the websites of the government and the Revenue and Customs Administration.

In August last year, the National Security Agency said Russia was to blame but offered no evidence. Then, the government stated that it was actually the work of a cybercriminal extortion group named Cuba Ransomware. In the end, authorities could not determine precisely who the perpetrator was, despite the assistance of the FBI and the French National Cybersecurity Agency, ANSSI.

The award is part of the US State Department program, “Rewards for Justice”, ongoing since 1984. The mission of the program, as stated by the State Department, is to protect Americans and US national security. It rewards information on terrorism, foreign-linked interference in US elections, foreign-directed malicious cyber activities against the US and activities that support North Korea.

Last year, a report by the European Bank for Reconstruction and Development, EBRD, characterized Montenegro’s “digital maturity” level as “basic” and recommended cybersecurity requirements for all digital service providers. Cybersecurity Ventures, one of the world’s leading publishers in the field, predicts the annual cost of global cybercrime will reach $10.5 trillion by 2025, up from $3 trillion in 2015.

Turkish Fraudster Seeks to Delete BIRN Investigation Into Citizenship Acquisition

A representative of Turkish businessman Yasam Ayavefe – a convicted fraudster who was revealed in an investigation by BIRN and Greek media partner Solomon to have acquired honorary Greek citizenship via his political ties – has asked BIRN to delete its report.

He also urged BIRN to delete articles about cyberattacks that targeted the Balkan Insight website after the publication of the investigation.

“These kinds of posts affect the business life of my client [Ayavefe]. He has invested in so many countries and posts like this cause my client material and moral damage,” Bener Ljutviovski, who introduced himself as Ayavefe’s representative, told BIRN in an email.

His request for the removal of BIRN’s reports came after Turkish courts, in two separate judgments in Istanbul and Ankara, ruled that Turkish online media articles about Ayavefe’s activities in gambling, crime and business in Cyprus, Greece and Turkey should be removed.

The Turkish court rulings said that Ayavefe’s rights had been violated by the articles, citing “the presumption of innocence”.

BIRN has confirmed that at least 114 news pieces about Ayavefe have been removed from Turkish websites as a result.

Ljutviovski also said that a case had been launched in Greece to ask websites to remove articles about Ayavefe, but after checking with judicial authorities in Greece, BIRN could not verify this.

Ljutviovski further claimed that Ayavefe won a case in Greece to have arrests removed from his criminal record.

He said that all this proved that Ayavefe “has nothing to do with these accusations” and that he was being accused “without any proof” of being connected to the DDoS attacks on BIRN’s Balkan Insight website and Solomon’s site after the publication of the investigation.

He called on BIRN to take down the articles in line with the Turkish court rulings although one of the judgments clearly stated that domestic courts cannot remove content of “foreign origin”.

“Please help us in this situation and let’s fix this without prolonging… We are open to suggestions from your side,” Ljutviovski wrote.

He appeared to offer BIRN financial incentives in return for compliance: “My client Dr. Yasam Ayavefe has advertising company, if you help us in this case we can provide advertising service to your organisation, so you can grow to bigger organisation. We would love to cooperate with you,” he wrote.

BIRN declined Ljutviovski’s offer and rejected his repeated demands to remove the articles about Ayavefe.

Ljutviovski sent a series of requests to BIRN, initially from an email address under his own name but then from an email address under the name Igor Stefanov.

BIRN and its Greek partner media outlet Solomon’s websites came under DDoS attack by hackers in 2022 following the publication of the investigation into Ayavefe and how he acquired honorary Greek citizenship.

Solomon said on Twitter at the time that honorary citizenship is “a state honour long reserved for those who have significantly promoted Greek culture”, but has been “turned into a golden visa scheme for those with deep pockets”.

The investigative outlet Inside Story first broke the honorary citizenship story in July 2022, triggering a fierce debate over Ayavefe’s suitability for such an honour. Inside Story also came under DDoS attack after publishing its report on Ayavefe.

‘Like Swiss Cheese’: North Macedonia’s Institutions Face Uphill Battle Plugging Online Defences

From targeted DDoS attacks blocking access to key sites and data to the hijacking of entire websites and suspected theft of sensitive data, North Macedonia has experienced it all in the past few years.

The government and the Interior Ministry say they are hard at work strengthening defence mechanisms against such malevolent online players. The US and EU have jumped in to help as well, providing both technical and training assistance.

And, in late June, Interior Minister Oliver Spasovski said they had raised the salaries of employees in the ministry’s department of telecommunications and informatics and in the digital forensics section by 30 per cent.

“These people are really needed,” the minister said, admitting that the country as a whole must invest much more in boosting cyber security.

But while at central level the Interior, Defence and Information Society Ministries seem busy boosting security teams and shaping more capable teams of experts ready to offer a competent response to threats, the more than 1,000 state or local government-run institutions, public enterprises and agencies, which are often the targets of such attacks, remain wide open.

“There, the situation is dire and harder to fix. For a long time, the issue of cyber security has been neglected in these institutions so their online presence and especially the issue of safeguarding it, have been an afterthought for the many heads and directors who often did not, and do not, understand the matter,” said Dejan Sokoloski, an IT expert and author of the IT.mk website.

As BIRN found out, some of these institutions lack any specialized IT security personnel and rely on just a few staffers to maintain their sites. Some have offloaded this work to private companies that often do not satisfy their needs.

“These institutions are often the first line of defence when it comes to preventing or intercepting cyber-attacks. If they had secure and competently maintained web presences, we could say half of the job is done. But they don’t, so they are the weakest link – a ‘Swiss cheese’ of vulnerabilities and holes that need to be plugged,” Sokoloski added.



Late realization of the threats

The Public Transportation Utility, JSP Skopje, is a public utility company under the City of Skopje that operates commuter bus services in the capital.

Among other things, it provides online services to its commuters, such as buying tickets, and a GPS system tracks all the buses and informs users when the next bus will arrive at their station.

With just one successful attack, the transport system in the capital of more than half-a-million people could suffer greatly. However, the company told BIRN that while it has experts to maintain the system, it lacks specialized cyber security experts.

“We are constantly striving to upgrade our cyber security and the quality of our online services … and we hope that in the next city budget [for 2024] there will be funds to hire dedicated experts in IT security. So far, we’ve relied on help and instructions from the central authorities,” JSP told BIRN in a written response.

The National Information Agency, MIA, is in a similarly vulnerable position. This agency, which receives central government funds and was formed by a decision of parliament, was targeted by a DDoS attack in 2020 during the last parliamentary elections. Together with the Central Electoral Commission, its website was not functional for almost two days after voting day.

The agency still relies on a skeleton team of two general IT experts employed simply to maintain the website.



USB stick is all you need

Vladimir Stajovic, a cyber security expert who has been engaged by a private IT company from North Macedonia that offers its services to public enterprises and agencies, says a qualified workforce that would meet these needs does not yet exist in North Macedonia.

“The general population thinks all IT experts are the same and that they know everything, when in reality security experts are highly focused and skilled on this area alone – and are hard to find,” he said.

“We have many people employed in the IT sector, and that is our advantage if we want to invest in specializing some of them for security, but when it comes to existing security experts, they are mostly working abroad because the salaries there are much higher,” he explained.

Stajovic said a common misconception among clients is that they can quickly fix breaches and vulnerabilities after an attack has already happened.

“We’re not plumbers. We cannot fix a leaking faucet in five minutes in an apartment that has been neglected for decades and where the entire plumbing is rusty.

“The solution is much more regular maintenance of the entire system and updating and migrating the vulnerable files onto more secure and up-to-date platforms and servers. That needs a lot of programming, work, money and testing, and even then, nothing is 100-per-cent secure when it comes to cyber space,” he noted.

Stajovic says that, from his experience, many institutions in North Macedonia are so vulnerable that even a group of high school students could breach defences and wreak havoc in important organisations that employ hundreds of people.

Stressing the need to keep a constant guard and keep up with the latest threats, he mentioned the recent appearance of a USB stick available online for just over $100 US.

It sounds like something straight out of a spy movie.

“All it takes is for someone to physically enter an institution and put this stick in any USB port on any PC. The system falsely recognizes it as a normal peripheral, like a mouse or a keyboard, and then its malicious software, that may be programmed for various activities like gathering data, deleting files or doing something else, starts working and can spread undetected,” he said.


North Macedonia’s Digital Society Ministry presented this year a plan for better and safer digitization of the administration. Photo by Information Society Ministry of North Macedonia

Not a hypothetical threat

North Macedonia is no stranger to cyber attacks.

To name just a few, in July 2020 a DDoS attack rendered the site of the State Electoral Commission useless for several days.

The attack delayed the announcement of the official results of tightly contested parliamentary elections, so the Commission had to improvise by releasing partial results through YouTube clips instead.

To make matters worse, the country’s most popular news aggregator, TIME.mk, experienced a similar attack at the same time.

Later that month hackers took down the sites of the Health and Education ministries.

In September 2021, a population headcount was marred by a slew of technical problems that forced many of the census takers to sit idle for days. Initially, authorities suspected a cyber attack but later said they had been misinterpreted. However, this only revealed the many weaknesses of all-too-important systems.

In August 2022, the government’s site for public services, uslugi.gov.mk, was downed for almost two days.

Earlier, in February 2022, the Education Ministry reported another attack – but insisted that a video published on Twitter by a notorious group calling itself “Powerful Greek Army”, purportedly recorded by the ministry’s security cameras, was a fake.



Solutions must come ‘step by step’

North Macedonia has a total of almost 1,300 public institutions, data from the Information Society Ministry show. Most are in the area of education, healthcare, state administration, communal enterprises and culture.

Slightly more than half of these institutions are at a local municipal level while the rest come under the central authorities.

By the time of publication, BIRN was not able to determine how many of them have permanently employed dedicated IT security staff, or how many rely on private companies to do the work for them.

“We are at the forefront, so to speak, in this effort to boost cyber security across all of our state apparatus. We are aware of the acuteness of the problem but the solutions will come step by step,” said the Information Society Ministry.

It added that along with other government ministries they have already formed so-called quick response teams of IT security experts and that such teams are especially present within the Interior and Defence Ministries.

“Our particular part of the job is to also provide training and help to the many institutions you mentioned and that is underway,” the ministry said.

“Trainings and communication for them are available, we are working on standardizing the platforms they are using in the online sphere.”

The Ministry also sees potential to speed up the process as many people employed in the country’s IT sector, if motivated correctly, could be trained in security.

So far, though, there is no projection about how much it would cost to train these new experts and motivate them to stay in the country for a better salary, or how long that could take.

Turkish Citizens’ Personal Data Offered Online After Govt Site Hacked

A website called sorgupaneli.org is offering to provide Turkish citizens’ private data that was stolen from the e-Devlet government services website, even claiming to be able to offer President Recep Tayyip Erdogan’s personal information.

The hacked information that is being offered for free by the website in return for a membership signup includes ID numbers, phone numbers and information about people’s family members.

More sensitive information, including full addresses, real estate deeds and education details, is being offered with a paid premium membership.

When BIRN accessed the website, it said that the personal data on offer includes information about high-ranking state and government officials including Erdogan and Turkey’s main opposition leader Kemal Kilicdaroglu.

Experts said that the data theft is the biggest yet in Turkey and constitutes a major digital security problem.

“First and foremost, access to this website should be blocked. Following this, a full-scale investigation should be launched,” Sule Ozsoy Boyunsuz, a professor of constitutional law, told HALK TV.

The Turkish authorities have so far remained silent on the issue and the website remains accessible although it often crashes due to the high demand putting pressure on its servers.

e-Devlet, which means e-government, is the main public administration portal in Turkey, and includes personal information including details about education, health, banking credentials and tax status.

For several years, the e-Devlet website has been criticised for not being secure enough, but the authorities have dismissed the claims.

Amid Growing Cyber Threat, Experts Urge Montenegro to Invest in Talent

In early May, a text message arrived on the phones of a number of people in Montenegro saying that a parcel had arrived, delivered by the Serbian postal service Posta Srbije, and telling them to click on a link for instructions on how to receive it.

The link opened a webpage where the user was asked to enter their bank card details, but it had nothing to do with Posta Srbije. The text was in fact the latest in a string of phishing attacks targeting individuals in Montenegro, attacks that authorities say are becoming increasingly common.

According to Montenegro’s Cyber Incident Response Team, CIRT, 684 such incidents were reported last year, up from 672 in 2021. In 2011, there was just one registered cyber-attack. Of the 684 last year, malware constituted the most common type of attack.

Experts see raising awareness among members of the public as vital to minimising the impact of such scams, but, said Adis Balota, a professor at the Faculty of Information Technologies in Podgorica, “alone this will not solve the cyber security problem”.

In August last year, a major cyber assault on Montenegrin state institutions paralysed parts of the public sector and underscored the tiny NATO country’s vulnerability to cybercrime.

Almost a year on, experts like Balota say Montenegro must invest much more in its defences and in recruiting the IT security expertise that the public sector currently lacks.

“Unfortunately, from the negative examples of the past year, it can be concluded that the state information systems are currently the most threatened,” Balota told BIRN.

“I’m of the opinion that in order to solve this problem, the government of Montenegro should make a strategic departure from the current way of developing, implementing and maintaining information systems in state bodies.”


Montenegro’s Cyber Incident Response Team, CIRT, data on cyber attacks since 2011. Infographic: BIRN/Igor Vujcic.

Experts needed

The August 2022 attack infected dozens of computers in 10 state institutions and knocked offline a host of public services.

Within days, the National Security Agency pointed the finger of blame at Russia, which Montenegro has long accused of trying to thwart its Western integration ambitions, but offered no evidence; then a cabinet minister said it was in fact the work of Cuba Ransomware, a cybercrime extortion group.

Months later, the National Security Council announced that, “given the specific nature and complexity” of the attack, it had been unable to determine exactly who was behind it, despite the assistance of the FBI in the United States and the French National Cybersecurity Agency, ANSSI.

Powerful as it was, the attack was only the most high-profile of many.

Late last year, even the police were forced to warn the public not to respond to emails purportedly from the then director of the Police Administration, Zoran Brdjanin, or open their attachments, saying they “may contain malicious content”.

A week later, police said they had registered a similar scam via emails claiming to be sent by the head of the criminal police in the Podgorica Security Department, Zoran Basanovic.

The ultimate goal, police said, was “fraud and obtaining financial benefit”.

Over the past few years, Montenegro has also seen a rise in fake prize games on social media, generated via fake websites and asking users to submit photos of their ID cards or follow instructions sent by email.

Balota cautioned that, while Montenegro has cyber security strategies on paper, their implementation is another matter.

The biggest problem, he told BIRN, is the failure to recruit and retain highly-specialised experts in the field of Information and Communications Technology, ICT.

“Such experts cannot be motivated with the salaries of civil servants and state employees,” Balota said. “The motivation of serious and educated personnel to work in state bodies is an extremely important goal.”

If a clear recruitment strategy were in place, “the financial resources for basic functioning could be provided, either from the state budget or from international projects,” he said. “In relation to other parts of the state budget, the amount of money that would be necessary is negligible.”

Instead, “there is a lack of vision, professional staff, specialist training, accompanying finances, and, in the end or at the outset, political will.”


Major cyber threats in Montenegro since 2016. Timeline: BIRN/Igor Vujcic.

Attacks will get ‘more aggressive’

The first big cyber-attack on Montenegrin state bodies occurred in 2016, on the day of parliamentary elections. Then, just as last year, authorities rushed to blame Russia for the Distributed Denial-of-Service, DDoS, attacks, with Moscow at the time angered by the prospect of Montenegro’s imminent accession to NATO.

Four days later, another attack targeted parliament’s servers. The following year, 2017, the government reported a new wave of attacks on its portal and sub-portals of state bodies. Blame was laid at the feet of Fancy Bear, a notorious Russian cyber espionage group.

Balota said the government should create a “centralised body or institution at the state level, which would coordinate and manage all IT projects at the level of state bodies and administration bodies”.

This, he said, “would certainly contribute to the rational use of all available resources, to monitor trends and allow the benefits of all implemented solutions to be measured”.

Training will be key, he said.

“Each subsequent attack will be even more aggressive and have greater consequences,” said Balota. 
